W3C

Web Payments WG

26 May 2022

Attendees

Present
Adrian Hope-Bailie (Fynbox), David Benoit, Clinton Allen (American Express), Ian Jacobs (W3C), Matt Crothers (American Express), Nick Telford-Reed, Ryan Watkins (Mastercard), Stephen McGruer (Google), Sue Koomen (American Express), Tomoya Horiguchi (JCB)
Regrets
Praveena Subrahmanyam
Chair
Ian
Scribe
Ian

Meeting minutes

TPAC

We review candidate TPAC topics in this week's agenda.

NickTR: Digital identity an interesting topic
… PSD3 starting up

NickTR: We could revisit DIDs and VCs
… I don't have a specific hypothesis yet but I'd like to explore further with like-minded folks at TPAC

Ian: Any Canada-specific initiatives?

ACTION: David to look into interesting digital identity initiatives in Canada

Ian: I was chatting with PCI; may invite them

<nicktr> this is one interesting whitepaper from Interac (wrt to Canada, Digital ID and payments)

Ian: Anyone interested in Web3?

Adrian: I am interested in hearing a definition first

<adrianhb> Suggest reaching out to Uchi from Coil for update on Web Monetization (he is based in Canada) or Alex from the Interledger Foundation

Ian: Any other ideas?

<adrianhb> Payment Request beyond cards sounds interesting. Lots of A2A payments springing up in places where Open Banking is getting traction

NickTR: On behalf of the co-Chairs; it's been a while since we got together. I have valued the hallway conversations at our FTF meetings
… we are keen to create as much opportunity as we can for those conversations.
… we the co-chairs can work to drum up guests and participants
… we hope to be able to create some larger conversations among the four groups that will be there
… is there appetite to hold an in-person meeting?

clinton: In terms of travel, EMVCo met in Berlin and it was well-attended and a really good meeting

QUESTION: Should we hold an in-person meeting in Vancouver (likely 12, 13, maybe 14 Sep)

<smcgruer> +1 to in person meeting (biased because my favourite gelato place in the world is in Vancouver)

<smcgruer> +21

<nicktr> +1

<benoit> +1

<Ian> +1

<adrianhb> +1

<clinton> +1

<MattCrothers> +1

<rwatkinsma> +1 but will likely be unable to attend myself, not sure about other MA participants

[We note strong support!]

ACTION: Ian to confirm we will hold an in-person meeting at TPAC

From browser cache to FIDO/WebAuthn integration

smcgruer: I shared with the WG this document: From browser cache to FIDO/WebAuthn integration.

smcgruer: I put this together to capture the various complexities in the relationship between SPC and WebAuthn/FIDO. I've charted a path from "current hack" to "good integration"
… I think a lot of this will involve joint discussions with WebAuthn/FIDO
… disclosure: this is not a formal plan; these are my thoughts

NickTR: Are you attending FIDO meetings?

smcgruer: No; Christiaan Brand representing us
… there is a pull request out there to add the 3p bit to CTAP; awaiting an outcome there

Ian: What would be the next SPC/WebAuthn steps if that goes well?

smcgruer: We'd start to ask the platform authenticators to implement that ability.
… second track is that there is other behavior currently in SPC that we should move to FIDO:

a) Creation of a credential in a cross-origin iframe; we should ask them to reconsider that capability. Likely contentious but we should start having that conversation.

b) Then we can decide in the WPWG whether we want to start transitioning to allow people to separate the concept of "payment" and "3p payment".

clinton: I'm trying to understand that distinction.

smcgruer: The question is whether a credential can be used (1) only by a relying party in 1p or 3p context versus (2) a non-RP in a 3p context.
… we need a new term for this

smcgruer: Today in a browser-caching world as soon as you create an SPC credential it is usable by a 3p. What my proposal document contains as part of milestone 1....we could separate the capabilities. We could simply create a new extension that allows SPC but only by RP.
… the real question today is "I would be using SPC but for the 3p usage!"
… if there's not loud interest today it will be further out

Upcoming meetings

<Ian> Next meeting: 23 June

Please note no meeting on 9 June

Opt-out (issue 172)

https://github.com/w3c/secure-payment-confirmation/issues/172

smcgruer: We've got some ideas behind a flag and experimentation now possible.
… flag is passed to SPC
… optional opt-out
… if the user clicks "opt-out" there's a distinct error value
… to stop people from doing silent credential matching, there is a notification to the user

clarification: the opt-out button is also available in the "no matching credentials" notification
… that is, the API caller does not know which UX the user got (1) matching credential (2) no matching credential

IJ: What would we need to be able to close 172?

smcgruer: Satisfaction with the proposal or saying we don't need anything at all.
… we also don't have official sign-off yet internally on the proposed approach.

ACTION: smcgruer to add to issue 172 that there's an experimental feature and to invite feedback.

Getting SPC to CR

We review open SPC issues not labeled post-v1.

Ian: issue 12. Post v1?

smcgruer: I would like to see this post v1 from SPC POV. I think that FIDO folks are thinking that where browser knows about an authenticator we have all the bits in place. But it's non-trivial complexity from an SPC spec perspective

ACTION: Ian to work with Stephen on a pull request to characterize an expectation about roaming authenticator support after v1

Ian: What about 154? Is that mostly for WebAuthn folks?

Ian: Can we close 157 if the CTAP bit lands?

smcgruer: the bit landing won't make it work; there's more to do on the CTAP side (years)...in other words...there's a long path

smcgruer: Do the chairs have a concept of what the CR version of SPC will look like?
… e.g., no browser caching before CR?

ACTION: Ian to work with Chairs to describe the desired state of the specification at CR

NickTR: My personal aspiration is to have a specification that we can get to Rec with 2 implementations

nicktr: I don't know what that implies for browser caching.
… I also have some queasiness regarding SPC-as-payment-method

NickTR: ...but broadly, if we feel we can get it over the line, that would be a helpful signal to people, I'd be satisfied

smcgruer: Very good answer. I think then there are two questions

1) First there is the experience of a Web developer trying to use the API. The question there is "if I use this thing will it change on me in 1 year?"
… that's a great question that includes both the PR API question, but also the powers of 3p vs 1p usage.

2) The implementer base (browsers)
… there, aside from their interest, I wonder what the concrete steps needed are. For example, platform-level support may or may not be required.

Summary of action items

  1. David Benoit to look into interesting digital identity initiatives in Canada
  2. Ian to confirm we will hold an in-person meeting at TPAC
  3. smcgruer to add to issue 172 that there's an experimental feature and to invite feedback.
  4. Ian to work with Stephen on a pull request to characterize an expectation about roaming authenticator support after v1
  5. Ian to work with Chairs to describe the desired state of the specification at CR
Minutes manually created (not a transcript), formatted by scribe.perl version 185 (Thu Dec 2 18:51:55 2021 UTC).